12.05.2016
SQL Server 2016
Security Obscurity and Encryption
Andreas Wolter
Owner: Sarpedon Quality Lab
Database Architect | MCSM, MCM, MVP
Andreas Wolter
Consultant, Trainer & Speaker
Microsoft Certified Master SQL Server 2008 + Solutions Master Data Platform (SQL Server 2012)
• Data Warehouse & OLTP System Architecture
• Performance Tuning
• Security
Email: [email protected]
Web: www.andreas-wolter.com
Blog: www.insidesql.org/blogs/andreaswolter/
Facebook: www.facebook.com/SarpedonQualityLab
LinkedIn: www.linkedin.com/in/andreaswolter
Twitter: @AndreasWolter
SQL Server SSAS, SSRS, SSIS
Agenda
• Intro: SQL Server under Attack
• Overview of Investments for 2016
• Application Access
  • Row Level Security, Dynamic Data Masking
  • Demo
  • Side-Channel Attacks
• Data Encryption
  • Always Encrypted
  • Demo
• A word on SQL Injection
• Q&A
SQL Server under Attack
Note
Encryption at rest does not protect against all attacks. In fact, no single protection covers all attack surfaces or attack vectors.
RLS Limitations
• Does not protect against ad-hoc access (side-channel attacks are possible)!
• Incompatible with Filestream
• Incompatible with Polybase
• No indexed views
• Change Data Capture & Change Tracking can leak data
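A minimal Row-Level Security setup, added here as an example that is not part of the original slides: a predicate function, a security policy with a FILTER and a BLOCK predicate, and a check that each user only sees the rows assigned to them. The table, function, policy and user names (Patients, fn_PatientPredicate, PatientPolicy, Nurse1/Nurse2) are assumptions for the demo.

```sql
-- Added example (not from the slides): Row-Level Security on a hypothetical Patients table.
-- All object and user names below are assumptions for the demo.
CREATE TABLE dbo.Patients
(
    PatientId   INT IDENTITY PRIMARY KEY,
    PatientName NVARCHAR(100) NOT NULL,
    AssignedTo  SYSNAME       NOT NULL   -- database user allowed to see this row
);

INSERT INTO dbo.Patients (PatientName, AssignedTo)
VALUES (N'Alice Example', N'Nurse1'),      -- constructed sample data
       (N'Bob Example',   N'Nurse2');

CREATE USER Nurse1 WITHOUT LOGIN;
CREATE USER Nurse2 WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE ON dbo.Patients TO Nurse1, Nurse2;
GO

-- Inline table-valued predicate: a row is visible only to the user it is assigned to
-- (and to dbo). SCHEMABINDING is required for RLS predicate functions.
CREATE FUNCTION dbo.fn_PatientPredicate(@AssignedTo AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @AssignedTo = USER_NAME()
              OR USER_NAME() = N'dbo';
GO

-- FILTER predicate silently hides rows on SELECT/UPDATE/DELETE;
-- the BLOCK predicate additionally rejects INSERTs of rows the user could not see afterwards.
CREATE SECURITY POLICY dbo.PatientPolicy
    ADD FILTER PREDICATE dbo.fn_PatientPredicate(AssignedTo) ON dbo.Patients,
    ADD BLOCK  PREDICATE dbo.fn_PatientPredicate(AssignedTo) ON dbo.Patients AFTER INSERT
    WITH (STATE = ON);
GO

-- Check as Nurse1: the query is unchanged, the policy does the filtering.
EXECUTE AS USER = N'Nurse1';
SELECT PatientName FROM dbo.Patients;
REVERT;

-- Check the policy is in place and enabled.
SELECT name, is_enabled FROM sys.security_policies;
```

Run as Nurse1, the SELECT returns only the row assigned to Nurse1, and an INSERT with AssignedTo = N'Nurse2' is rejected by the block predicate. The policy filters rows for every principal, but as the slide notes it cannot stop a user who can run arbitrary ad-hoc queries from inferring hidden values indirectly, so the application account should be the only principal with direct query rights.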
RLS: Learn More
• Books Online: https://msdn.microsoft.com/en-us/library/dn765131.aspx
• SQL Security Blog (keyword RLS): http://blogs.msdn.com/b/sqlsecurity/archive/tags/rls/
• Overview blog post: http://blogs.technet.com/b/dataplatforminsider/archive/2016/01/21/limiting-access-to-data-using-row-level-security.aspx
• Channel 9 Videos:
  https://channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-Updates
  https://channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-in-Azure-SQL-Database
  https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Row-Level-Security
• Code Samples: https://rlssamples.codeplex.com/
Dynamic Data Masking: Learn More
• Getting Started (Azure SQL DB): https://azure.microsoft.com/documentation/articles/sql-database-dynamic-data-masking-get-started/
• MSDN (SQL Server): https://msdn.microsoft.com/library/mt130841.aspx
• Blogs:
  http://blogs.msdn.com/b/sqlsecurity/archive/2015/10/22/dynamic-data-masking-highlighting-the-latest-improvements.aspx
  https://azure.microsoft.com/blog/limit-the-exposure-of-sensitive-data-in-azure-sql-database-using-dynamic-data-masking/
• Channel 9 Videos:
  https://channel9.msdn.com/Shows/Data-Exposed/Dynamic-Data-Masking-Updates
  https://channel9.msdn.com/Shows/Data-Exposed/Dynamic-Data-Masking-in-Azure-SQL-Database
Dynamic Data Masking Limitations
• A masking rule cannot be defined for the following column types:
  • Computed columns (whether persisted or not) – but they will be masked if one of the referenced columns is
  • Encrypted columns (Always Encrypted), since SQL Server does not know the plain data
  • Generated always (temporal)
  • FILESTREAM
  • COLUMN_SET
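The computed-column rule above, shown in working T-SQL as an added example (not from the slides): a table with two masked columns and a computed column that carries no mask of its own but inherits masking because it references a masked column. The table, column and user names (PatientContacts, ReportReader) and the sample row are assumptions.

```sql
-- Added example (not from the slides): Dynamic Data Masking on a hypothetical table.
-- Object names, user names and the sample row are constructed for the demo.
CREATE TABLE dbo.PatientContacts
(
    PatientId   INT IDENTITY PRIMARY KEY,
    Email       NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone       VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NOT NULL,
    -- No masking rule can be declared on a computed column, but this one
    -- references the masked Email column, so its output is masked as well.
    EmailDomain AS SUBSTRING(Email, CHARINDEX('@', Email) + 1, 200)
);

INSERT INTO dbo.PatientContacts (Email, Phone)
VALUES (N'alice@example.com', '555-123-4567');   -- constructed sample data

-- A reader without the UNMASK permission sees masked values in all three columns.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.PatientContacts TO ReportReader;

EXECUTE AS USER = N'ReportReader';
SELECT Email, Phone, EmailDomain FROM dbo.PatientContacts;
REVERT;

-- Masking is applied at query output only; the stored data is in clear text.
-- Which columns carry a mask, and which function, is visible in the catalog:
SELECT c.name, c.is_masked, mc.masking_function
FROM sys.columns AS c
LEFT JOIN sys.masked_columns AS mc ON mc.object_id = c.object_id AND mc.column_id = c.column_id
WHERE c.object_id = OBJECT_ID(N'dbo.PatientContacts');

-- Privileged readers are unmasked explicitly; keep this grant to the few roles that need it.
GRANT UNMASK TO ReportReader;
```

Masking is a presentation control, not encryption: the values are stored in clear and anyone with UNMASK (or dbo) reads them as-is. Where the data must also be hidden from high-privileged users, the Always Encrypted columns covered later in the deck are the tool, and as the list above notes the two features cannot be combined on the same column.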
Sample Health Care Application
DDM & RLS
Always Encrypted
Prevents Data Disclosure
• SQL Server 2016 / SQL Database (GA)
• Application Transparency
• Queries against Encrypted Data
Helps With
• Protection from high-privileged, yet unauthorized users
• Compliance Scenarios: health, finance, insurance
Health Care Demo Cont’d
Always Encrypted How it looks: Using it all Together
Always Encrypted Limitations
• https://msdn.microsoft.com/en-us/library/mt163865.aspx
• http://blogs.sqlsentry.com/aaronbertrand/t-sql-tuesday-69-always-encrypted-limitations/
• Unsupported data types:
  • xml, rowversion, image, ntext, text, sql_variant, hierarchyid, geography, geometry, alias, user-defined types
  • FILESTREAM, non-BIN2 collations, ROWGUIDCOL, sparse column set
• Columns referenced by statistics
• Default constraints
• Columns that are masked
• Temporal tables
• Memory-optimized tables
• Stretched tables
• Not supported features:
  • Transactional or merge replication
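How the "Helps With" and limitations slides translate into a table definition, as an added example that is not from the slides: a column master key pointing at a client-side certificate, a column encryption key, and a table with one DETERMINISTIC and one RANDOMIZED column. The key names, the certificate path and the ENCRYPTED_VALUE blob are placeholders; in practice SSMS or the client driver's key-store provider produces the wrapped CEK value, because the server never sees the plaintext keys.

```sql
-- Added example (not from the slides): Always Encrypted column definitions in T-SQL.
-- Key names, the certificate path and the ENCRYPTED_VALUE are placeholders.
CREATE COLUMN MASTER KEY HealthCare_CMK
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    -- the certificate lives in the client's Windows certificate store, not on the server
    KEY_PATH = N'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO

CREATE COLUMN ENCRYPTION KEY HealthCare_CEK
WITH VALUES (
    COLUMN_MASTER_KEY = HealthCare_CMK,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: the real value is the CEK wrapped by the CMK, generated client-side
);
GO

CREATE TABLE dbo.PatientRecords
(
    PatientId  INT IDENTITY PRIMARY KEY,
    -- DETERMINISTIC allows equality lookups and joins on the ciphertext,
    -- which is why it requires a *_BIN2 collation (non-BIN2 collations are unsupported).
    SSN        CHAR(11) COLLATE Latin1_General_BIN2 NOT NULL
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = HealthCare_CEK,
                               ENCRYPTION_TYPE = DETERMINISTIC,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    -- RANDOMIZED leaks no equality pattern, but the column cannot be filtered, grouped or joined on.
    Diagnosis  NVARCHAR(400) NULL
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = HealthCare_CEK,
                               ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);
GO

-- Server-side check: which columns are encrypted, how, and with which CEK.
-- A sysadmin running SELECT * against this table sees only varbinary ciphertext.
SELECT c.name, c.encryption_type_desc, cek.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.PatientRecords');
```

The application side is where the transparency comes from: a .NET 4.6 client adds `Column Encryption Setting=Enabled` to its connection string and must hold the certificate named in the CMK; the driver then encrypts parameters and decrypts result columns, and the DBA or a high-privileged server account never handles plaintext.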
Always Encrypted: Learn More
• Books Online: https://msdn.microsoft.com/en-us/library/mt163865.aspx
• SQL Security Blog (keyword Always Encrypted): http://blogs.msdn.com/b/sqlsecurity/archive/tags/always+encrypted/
• Channel 9 Videos:
  https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Always-Encrypted
  https://channel9.msdn.com/Shows/Data-Exposed/Getting-Started-with-Always-Encrypted-with-SSMS
Other security enhancements
• Audit success/failure of database operations
• Enhanced auditing for OLTP with the ability to track the history of record changes
• Transparent Data Encryption support for storage of In-Memory OLTP tables
• Backup encryption now supported together with compression
• Transparent Data Encryption with support for Intel AES-NI hardware acceleration
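The compressed and encrypted backup from the list above, as an added example that is not from the slides: the certificate that protects the backup is created in master, exported immediately (without it the backup cannot be restored anywhere), and the backup header is read back to confirm the encryption metadata. Database name, certificate name, file paths and passwords are placeholders.

```sql
-- Added example (not from the slides): backup with COMPRESSION and ENCRYPTION together.
-- Database, certificate, paths and passwords are placeholders for the demo.
USE master;
GO

-- The backup certificate is protected by the master database's master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO

-- Export the certificate and its private key right away and store them off-server:
-- a restore on any other instance is impossible without them.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\Keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO

-- Compression runs before encryption, so both options can be combined.
BACKUP DATABASE HealthCare
    TO DISK = 'D:\Backups\HealthCare_full.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         CHECKSUM,
         STATS = 10;
GO

-- Check: the header lists KeyAlgorithm, EncryptorThumbprint and EncryptorType for an encrypted backup,
-- and VERIFYONLY succeeds only when the matching certificate is present on the instance.
RESTORE HEADERONLY FROM DISK = 'D:\Backups\HealthCare_full.bak';
RESTORE VERIFYONLY FROM DISK = 'D:\Backups\HealthCare_full.bak' WITH CHECKSUM;
```

The operational point is key custody: the backup file is useless without BackupCert, which is the protection wanted against a stolen backup file, but it also means the exported certificate and private-key password belong in the disaster-recovery plan, tested with a restore on a second instance.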
Azure SQL Database Threat Detection
4 PM
Azure SQL Database Security - Microsoft product team
Ron Matchoro (Microsoft)
Dome 3
Q&A
Thank you
Andreas Wolter
Contact: [email protected] LinkedIn: www.linkedin.com/in/AndreasWolter Twitter: @AndreasWolter
Sarpedon Quality Lab: Your Specialist for Database Systems based on SQL Server Technologies
We are one of only 2 companies worldwide who have reached the highest technical certifications from Microsoft for SQL Server 2008 as well as SQL Server 2012!
We love to support you and use our know-how to your advantage.
Our services cover:
• SQL Server Health Checks
• Performance Analysis & Tuning
• Disaster Recovery & SLA Compliance Checks
• Security Checks
• Data Rescue in case of corruption
• Architecture Planning, Consulting and Implementation
• Training:
Ask us: [email protected]